The Importance of Protocol Analyzers in Solving Network Issues

The Importance of
Protocol Analyzers
in Today's Networks

Jim Thor – WP Professional Services

WildPackets, Inc.
www.WildPackets.com
(925) 937-3200 © WildPackets, Inc. www.wildpackets.com

The Early Days of Protocol Analysis

• We used to use Protocol Analyzers for Break/Fix
‒ Meaning we would try to fix the problem every other way before
getting the protocol analyzer out of the cabinet and trying to
figure out how to use it.

• Protocol Analyzers were mostly text based decoders
‒ Good for bit level analysis, but very hard to use when looking for
the needle in the haystack.

• You had to physically be where you wanted to
capture the packets
‒ No such thing back then as remote or distributed analysis

The Importance of Protocol Analysis © WildPackets, Inc. 2

Times Have Changed!
• Those shortcomings of early analyzers are gone
‒ Many of today’s analyzers are Graphical, Distributed and Historical

• Networks are larger and faster than ever before
‒ Getting to 40Gbps now and soon to 100Gbps

• Systems are faster and integrated into daily life
‒ There was a day when a computer was a ‘nice to have’.
‒ Most everyone now has a computer in their pocket, and uses it for
daily tasks and communications.

• Today’s networks are the life blood of businesses
‒ Without a well run network, your business may die!


Is There a Doctor in the House?

© WildPackets, Inc. www.wildpackets.com

How’s Your Network's Health?

• We have doctors to keep us healthy
‒ Businesses have Network Administrators and Engineers

• But a doctor has to have tools
‒ He has his 5 senses and he is very well educated!
‒ His knowledge alone does not make for a good doctor! He has
to be smart and have experience as well.

• You better hope your doctor has the right tools
‒ Simple tools he could have stethoscope, a thermometer, a reflex
hammer, etc
‒ These would be akin to network tools like ping, traceroute,
and logs

It’s All in the Details!
• Flow based reporting is nice…
‒ Flow information is a good start, but generally not good for
understanding the details. It’s way too generic and high level.

• Sometimes, you have to have the details, Period.
‒ But not always. There are a lot of available tools. The right tool
depends on the question.

• What is the question you are trying to answer?
‒ ‘Proof is in the Details’. With the details, you can answer
almost ANY question.
‒ Generally, every question from overall utilization to what bit is
set in a packet, can all be answered with a protocol analyzer.


The Right Tools Matter!
• The tool should not impact the Network!

• Simple tools are helpful and useful even today
‒ Simple tools like ping, tracert, etc., are still necessary and helpful

• More advanced tools are necessary
‒ Netflow, S-Flow, and SNMP are helpful, but often leave too
many questions unanswered

• With the right tools, there is NO need to guess!
‒ Detail oriented tools (packet analysis) give the answers down to
the bit level
‒ These tools can also answer questions ‘back in time’ using
Network Forensics features

Network Forensics
• Knowing what is happening on the network now
‒ Real time information is always important on any network

• Often, it is important to go ‘Back in Time’
‒ Security breaches happen before you know about them
‒ Replicating an issue is often not possible
‒ Why wait for an intermittent issue? Go ‘Back’ and see it!

• Network Forensics features allow you to go back and
find the packets from the past
‒ It may be that a server was hacked. Who did it, when, and what
else did they do or what systems did they access!
‒ Also allows for Comparative Analysis, which makes the task of
protocol analysis much easier and more accurate

The Important Features
of a Good Protocol Analyzer


The Necessary Features
Depend on Your Needs!
• Most important is Ease of Use!
‒ Protocol Analysis can be hard. Having an analyzer that is hard to
use adds unnecessary burden and time to the analysts tasks

• Distributed and Local Capture capabilities
‒ Protocol Analysis is only accurate where you are capturing, so
you usually want to capture at multiple locations to understand
what is happening across the network at various locations

• Software and Hardware Solutions
‒ Since you want to have as many capture points as possible,
having a cost effective solution for deploying at the distribution
and access switches is extremely important

Additional Items to Consider
• Speeds and Feeds.
‒ Also make sure the devices are capable of captures on multiple
interfaces simultaneously, and aggregating if necessary

• Forensics
‒ Do you need the ability to ‘Go Back in Time?” Most people do.

• Wireless
‒ Do you have any 802.11 networks? If so, make sure the analyzer you
choose supports WLAN captures.

• VoIP
‒ If you have a VoIP environment, or are planning on having one soon,
make sure to choose an analyzer that supports those needs.


How We Have Helped
• Saved lives!
‒ Yes, the results and analysis of 802.11 Wi-Fi traffic in a hospital found
the source of interference that was causing device outages
• Stopped hackers!
‒ The ongoing long term capture in a software company found the source
of the attach, and exactly which systems were compromised
• Made networks faster!
‒ Many examples of fixing network issues that were causing poor
performance. Fixing the issues made the networks much faster.
• Proved it wasn’t the network!
‒ Application vs. Network, we prove constantly who the true culprit is!
• Made the network users more productive!
‒ By fixing network, application and systems issues, all users are more
productive, including network, system, and application administrators!

The Feature Presentation


Focusing Blame or Fixing the Issue?
• Now that we know more about protocol analyzers, let’s look at a
common problem
‒ Who is to blame?

• The performance is bad, so…

• The Users are complaining…

• More importantly, where do we focus to find the issue, and fix it!
‒ Stop the Blame Game!

Let’s then now focus on solving this issue and
not focusing the blame!

The Weigh In
Create a baseline…
• Not just, “How much bandwidth am I consuming on
my network or segment?”

• Also, “How much is the X Application consuming?”
‒ What users connect to it?
‒ What outbound connections does the app do?
‒ With what ports? With what nodes? What times? How often?

• It’s impossible to predict the winner if you don’t
know your network and applications…
… and understand their behaviors.

Scoring the FIGHT
What to look for…
• Primary events are anything related to “Slow”
‒ Depending on what events we see, we will know who is at fault
• Application events:
‒ HTTP slow response time
‒ Oracle slow response time
‒ Inefficient client
• Network events:
‒ TCP SLOW segment recovery
‒ Slow retransmissions
‒ Slow acknowledgements
‒ Low throughput

Let the Expert Analysis help be the referee

Did Someone Say, "TKO"?
Get Proof…
System or Application is at fault

Network may be at fault


Who Won? The Network?
This shows that there are some slow acknowledgements that could be
network related… but keep in mind factors like distance

Let’s keep looking…


Or is it the System or Application?
This shows slow responses that are system or application related

Let’s go round by round…


Follow Events to See Who is Involved
Use the JAB
right-click option and ‘Select Related Packets’ on the event


Get the Flows, Not Just Those Packets

Here we would click on ‘Close’, keeping our 113 packets highlighted!


Do the Winning Combo… ‘Select Related’
We can UPPERCUT (right-click)
on any highlighted packet and do a ‘Select Related’, then ‘By Flow’


All the Packets – All the Flows
We have selected every packet, in every flow, with the expert event of interest


Tale of the Tape
"Scoring the Fight"

When we select
‘Slow Server
Response Time’,
two sessions to the
same server are
highlighted.

This looks like a
system or
application issue –
not the network.

But we need proof!


Visual Expert is the Proof!
Here is the proof we were looking for!
Two requests for data, two quick TCP Acks, but then a long delay
before the server sent us the data we requested.

Then the Data
Payload
Requests
and Acks gets returned Length = 0
much later

Payload
Length = 1260


A Closer Look
Looking more granular at the timing, we see that the ACK came
back in 70ms, but the data didn’t get sent back for another 854ms!

ACK fast =
Network fast

Data slow =
System slow


Tune the Expert for your network
Make these times relevant
for your network or the
task at hand!

And use the Import
and Export features
to quickly switch
when necessary


And the winner is…
You!
What we covered…

• Determining whether the application, system, or
network is at fault using TCP

• Tapping the power of ‘Select Related’ using flows to
troubleshoot root causes

• Eliminating false positives by tuning Expert Events


What’s in your network?
• Manage proactively or by exception
‒ Determine top talkers, nodes, and protocols
‒ Receive early warnings of performance problems anywhere in the network and
then quickly drill down for expert analysis
‒ No need to reproduce issues, simply “replay the tape” (network forensics)
• Monitor the entire network
‒ Identify issues and optimize VoIP and Video quality of service
‒ Measure quality of services applications are delivering to end users
‒ Evaluate network utilization for capacity planning and upgrades
• Optimize and secure your Wireless infrastructure
‒ Identify and fill security holes such has weak encryption or rogue access points
‒ Determine gaps in service across access points
• Extend the capabilities for custom applications
‒ Develop plug-ins to integrate with proprietary equipment
‒ Build decodes for proprietary protocols


About WildPackets


Corporate Overview
Pioneer and global leader in network and application
performance monitoring, management, and analysis.

• Our Company
‒ Founded: 1990
‒ Headquarters: Walnut Creek, CA
‒ Offices throughout US, EMEA, APAC
• Our Customers
‒ Thousands of active mid-market and enterprise customers
‒ 60+ countries / 80% of Fortune 1,000
‒ Financial, government, education, health care, telecom
• Our Products
‒ Patented, awarding-winning hardware and software solutions
that optimize network performance and eliminate downtime


Real-World Deployments
Education Financial Government

Health Care / Retail Telecom Technology


OmniPeek Network Analyzer
• Standalone Analysis and Remote Analysis UI
‒ Can be used as a portable analyzer, or standalone
‒ Can also connect and configure distributed OmniEngines/Omnipliances
• Comprehensive dashboards present network traffic in real-time
‒ Vital statistics and graphs display trends on network and application
performance
‒ Visual peer-map shows conversations and protocols
‒ Intuitive drill-down for root-cause analysis of performance bottlenecks
• Visual Expert diagnosis speeds problem resolution
‒ Packet and Payload visualizers provide business-centric views
• Automated analytics and problem detection 24/7
‒ Easily create filters, triggers, scripting, advanced alarms and alerts


Omnipliance Network Recorders
• Captures and analyzes all network traffic at the source 24x7
‒ Runs our OmniEngine intelligent probe software
‒ Generates vital statistics on network and application performance
‒ Intuitive root-cause analysis of performance bottlenecks
• Intelligent data transport
‒ Network data analyzed locally
‒ Detailed analysis passed to OmniPeek on demand
‒ Summary statistics sent to WatchPoint for long term trending and reporting
‒ Efficient use of network bandwidth
• Expert analysis speeds problem resolution
‒ Fault analysis, statistical analysis, and independent notification
• Multiple Issue Digital Forensics
‒ Real-time and post capture data mining for compliance and troubleshooting


Unprecedented Network Visibility

NETWORK HEALTH
GLOBAL WatchPoint can manage and report on key
devices’ performance and availability across
the entire network, from anywhere on the network.

UNDERSTAND END-USER PERFORMANCE
TimeLine and Omnipliance network recorders monitor
DISTRIBUTED and analyze performance across critical network
segments, virtual environments, and remote sites.

PINPOINT NETWORK ISSUES ANYWHERE
Omnipliance Portable can rapidly identify and troubleshoot
PORTABLE issues before they become major problems—wired or
wireless—down the hall or across the globe.

ROOT-CAUSE ANALYSIS
OmniPeek network analyzer performs deep packet inspection
DPI and can reconstruct all network activity, including e-mail and
IM, as well as analyze VoIP and video traffic quality.


WildPackets Product Lines

Software and Hardware Solutions for
Portable and Distributed
Network Monitoring and Analysis


Product Offerings
Software and Turnkey Appliances
• Enterprise Monitoring and Reporting
‒ WatchPoint Server
‒ OmniFlow, NetFlow, SNMP, and sFlow Collectors
• Network Probes & Recorders
‒ Omnipliance Network Recorders – Edge, Core
‒ TimeLine Network Recorder
‒ OmniAdapter Analysis Cards
• Portable Hardware Solutions
‒ Omnipliance Portable
• Windows based Software Solutions
‒ OmniPeek software – Enterprise, Professional, Basic, Connect
‒ OmniEngine software – Enterprise, Desktop, OmniVirtual


Omnipliance Network Recorders
Price/performance solutions for every application

Portable Edge Core TimeLine
Ruggedized Small Networks / Regional Offices / Datacenter
Troubleshooting Remote Offices Small Datacenter Workhorse
Chassis 1U 3U 3U

Memory 24GB 4 GB 6 GB 18 GB

Expansion 2 PCI-E 2 PCI-E 4 PCI-E 4 PCI-E

Storage 6 TB 1 TB 8 TB / 16 TB 8 TB / 16 TB / 32 TB

Max. CTD 4.5Gbps 1Gbps 3.8Gbps 11+Gbps


Comprehensive Support and Services
Standard Support Premier Support
 Maintenance and upgrades  24 x 7 x 365
 Telephone and email contacts  Dedicated escalation manager
 Knowledgebase  2 customer contacts per site
 MyPeek Portal  Plug-in reconfiguration assistance

WildPackets Training Academy
 Public, web-based, and on-site classes
 Complete curriculum: Technology and product focused
 Practical applications and labs covering network analysis,
wireless, VoIP monitoring and advanced troubleshooting

Consulting and Custom Development Services
 Deployment, configuration, and assessment engagement
 Systems integration and testing
 Application integration, driver, decode, interface development


Key Differentiators
• High-level network monitoring to root-cause analysis
• Single solution for today’s converged networks
‒ Wired, Wireless, 1GB, 10GB, VoIP, Video, TelePresence, IPTV
• Reduce and even eliminate network downtime
‒ Automated monitoring 24x7
‒ Speedy resolution of network bottlenecks
• Improve network and application performance
• Uniquely extensible platform – tailored to your needs
‒ Plug-ins and APIs for integration and customization
• Fastest capture to disk performance in the industry


Thank You!
& Questions…
Check out MyPeek! @ mypeek.wildpackets.com

Follow us on SlideShare!
Check out today’s slides on SlideShare
WildPackets, Inc. www.slideshare.net/wildpackets
www.WildPackets.com
(925) 937-3200 © WildPackets, Inc. www.wildpackets.com

The Importance of Protocol Analyzers in Solving Network Issues

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (15)

Destaque

Destaque (7)

Semelhante a The Importance of Protocol Analyzers in Solving Network Issues

Semelhante a The Importance of Protocol Analyzers in Solving Network Issues (20)

Último

Último (20)

The Importance of Protocol Analyzers in Solving Network Issues